The "Invalid Client Token ID" error you're encountering when trying to assume a new role with AWS Security Token Service (STS) usually indicates an issue with the credentials associated with the AWS CLI profile you are using. Here are several steps and checks you can perform to troubleshoot and potentially resolve this issue:
- Verify the accuracy of the AWS credentials in your profile. Ensure they are active and correctly entered.
- Check the trust relationship of the role you're trying to assume. It must trust your account or user.
- Ensure the role's policy does not have conditions that restrict assuming the role based on IP or MFA that you might not be meeting.
- Confirm the role ARN is correctly specified without typos and matches the intended target role.
- Verify that your IAM user or role has the necessary permissions to perform the sts:AssumeRole action.
- If using session tokens with your credentials, ensure they are valid and not expired.
- Ensure the time on your local machine is correct. Significant time skew can cause requests to be considered invalid.
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
When you successfully assume the role using aws sts assume-role, AWS returns temporary security credentials (access key ID, secret access key, and a session token). You must use these temporary credentials for any further AWS CLI commands or SDK calls that require access to resources the role has permissions for.
That sounds great, except that I receive an error every time I try to assume the role using aws sts assume-role: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid. I need to troubleshoot this step first -- how do I successfully assume the role using this command? I really appreciate your ongoing support here!
Hi Mina,
Thanks for your quick response! I have some questions regarding these troubleshooting options.
"Check the trust relationship of the role you're trying to assume. It must trust your account or user." --- At current state, I cannot access the credentials or trust policies corresponding to the role ARN I have been provided, as the new role does not appear when I search in my team's AWS Admin account. Am I looking in the wrong place? My assumption is that once I assume the role for the first time, the role will become accessible from our account, and I will gain the ability to edit the trust permissions of the role. Is there a workaround I'm not aware of?
"Verify the accuracy of the AWS credentials in your profile. Ensure they are active and correctly entered." --- My profile name and security keys are entirely unique and unrelated to my AWS account and/or the role ARN. Are there requirements for these credentials that I may not be meeting (i.e., should they match those of our AWS Admin account, or the role ARN)? Given that I cannot currently access any information about the role, I do not know how to find the correct credential information.
I greatly appreciate your help!
Thanks,
Naomi
These are the instructions that I'm following:
Once a preference is set up, we provide you with a Role ARN and an S3 path. To access data in the S3 bucket you will need to assume the role provided. Only the AWS account Id mentioned in the exports settings has permission to assume the role.
Accessing reports (using AWS CLI - recommended to test if the setup is correct)
Step 1: Assume the role provided in the exports settings.
aws configure --profile <Choose a profile name>
<Enter the secret key and access key of the AWS Account user which you are going to use for next steps>
aws sts assume-role --role-arn <Role arn on your export page> --role-session-name AWSCLI-Session --profile <Your profile name>
<This step returns a new set of credentials which are to be entered in the following commands>
export AWS_ACCESS_KEY_ID=<Access output from above command>
export AWS_SECRET_ACCESS_KEY=<Secret access output from above command>
export AWS_SESSION_TOKEN=<Session token output from above command>
aws sts get-caller-identity (should return <Role arn on your export page>)
If you face issues while assuming the role and get an error message which includes “does not have permissions to assume role”, then attach or update the policy with the statement below. This statement grants permission to assume the role mentioned under resources.
{
  "Action": "sts:AssumeRole",
  "Resource": [
    "arn:aws:iam::491615475978:role/Export-Approvals-Web-345818695909-Role"
  ],
  "Effect": "Allow"
}
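The following script is an added example; it is not from this thread, from the answerer, or from the vendor's instructions. It turns the answer's checklist and the vendor's Step 1 into something repeatable: because InvalidClientTokenId is raised about the credentials in the calling profile rather than about the target role, it first proves those credentials with `aws sts get-caller-identity` (and prints which account they belong to, so it can be compared with the account the export settings name), then assumes the role and converts the JSON output into the three `export` lines without needing jq. It assumes AWS CLI v2 is installed; `PROFILE`, `ROLE_ARN` and `RUN` are hypothetical environment variables chosen for this example, and the role ARN in the usage line is the one quoted in the instructions above.

```shell
#!/bin/sh
# Added example for the re:Post thread above; not the vendor's or the answerer's code.
# Assumes: AWS CLI v2 on PATH; PROFILE names a configured CLI profile;
# ROLE_ARN is the role from the export page. RUN is a constructed guard
# variable so that sourcing this file defines the functions only.

# Owner account of an IAM role ARN (5th colon-separated field). The trust
# policy of the role in this account must allow the caller's account/user.
arn_account() {
    printf '%s' "$1" | cut -d: -f5
}

# Convert the JSON printed by `aws sts assume-role` into export statements.
# A plain sed extraction (no jq): each key occurs once, so this works on the
# CLI's pretty-printed output and on single-line JSON alike.
creds_to_exports() {
    json="$1"
    for key in AccessKeyId SecretAccessKey SessionToken; do
        value=$(printf '%s\n' "$json" \
            | sed -n "s/.*\"$key\": *\"\([^\"]*\)\".*/\1/p" | head -n 1)
        [ -n "$value" ] || { echo "missing $key in assume-role output" >&2; return 1; }
        case $key in
            AccessKeyId)     echo "export AWS_ACCESS_KEY_ID=$value" ;;
            SecretAccessKey) echo "export AWS_SECRET_ACCESS_KEY=$value" ;;
            SessionToken)    echo "export AWS_SESSION_TOKEN=$value" ;;
        esac
    done
}

# Pre-flight for InvalidClientTokenId: STS rejected the access key / secret /
# session token in PROFILE itself, so prove those work before touching the role.
preflight() {
    profile="$1"; role_arn="$2"
    caller=$(aws sts get-caller-identity --profile "$profile" \
                --output text --query '[Account,Arn]') || {
        echo "credentials in profile '$profile' are rejected by STS;" \
             "fix them (aws configure --profile $profile) before AssumeRole" >&2
        return 1
    }
    echo "calling as (account, ARN): $caller"
    echo "role is owned by account $(arn_account "$role_arn");" \
         "its trust policy must allow the caller above, and the caller needs sts:AssumeRole on it"
}

# Assume the role and print the export lines for the temporary credentials.
assume() {
    profile="$1"; role_arn="$2"
    json=$(aws sts assume-role --role-arn "$role_arn" \
              --role-session-name AWSCLI-Session --profile "$profile" \
              --output json) || return 1
    creds_to_exports "$json"
}

# Usage (interactive):
#   RUN=1 PROFILE=myprofile \
#   ROLE_ARN=arn:aws:iam::491615475978:role/Export-Approvals-Web-345818695909-Role \
#   sh assume_role.sh
# The final get-caller-identity should print the assumed-role ARN, as the
# vendor's instructions expect.
if [ -n "${RUN:-}" ]; then
    preflight "$PROFILE" "$ROLE_ARN" || exit 1
    exports=$(assume "$PROFILE" "$ROLE_ARN") || exit 1
    eval "$exports"
    aws sts get-caller-identity --output text --query Arn
fi
```

The temporary credentials are exported only inside the script's own process; to use them in an interactive shell, source the file or run `eval "$(assume myprofile "$ROLE_ARN")"` there, and note that they expire after the role's session duration.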